Question 30
Domain 4 — Privacy Risk Assessment and Compliance Validation
Which of the following is the BEST way to distinguish between a privacy risk and compliance risk?
Correct answer: B
Explanation
A privacy risk assessment is the best way to distinguish the two because it identifies risks tied to personal data handling, such as collection, use, disclosure, and retention. Compliance risk focuses on whether an organization meets legal or regulatory requirements, while privacy risk asks how data practices may harm individuals, so the assessment separates those concerns.
Why each option is right or wrong
A. Perform a privacy risk audit
An audit checks controls or evidence after the fact; it does not primarily distinguish risk types.
B. Conduct a privacy risk assessment
A privacy risk assessment is the appropriate tool because it evaluates processing of personal data against the principles and obligations in laws such as the GDPR, including Article 35 where a DPIA is required for processing likely to result in a high risk to individuals’ rights and freedoms. It distinguishes harm to individuals from mere legal nonconformance by examining collection, use, disclosure, retention, and safeguards, whereas compliance risk is assessed by whether the organization meets the applicable statutory or regulatory requirements.
C. Validate a privacy risk attestation
An attestation is a formal assertion of status, not an analysis separating privacy and compliance concerns.
D. Conduct a privacy risk remediation exercise
Remediation addresses known issues after identification; it is not the step used to classify them.